About Conficker

On October 23, 2008, Microsoft released a critical security update,
MS08-067, to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network "worms." Since the release of
MS08-067, the Microsoft Malware Protection Center (MMPC) has identified the following variants of
Win32/Conficker:

Protecting PCs from Conficker

Apply the security update associated with
MS08-067. View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.

Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. The Microsoft Active Protection Program (MAPP) provides partners with early access to Microsoft vulnerability information. For a list of partners and links to their active protections, please visit the
MAPP Partners page.

Disable the AutoPlay feature through the registry or using Group Policies as discussed in
Microsoft Knowledge Base Article 967715. Microsoft released
Security Advisory 967940 to notify users that the updates to allow users to disable AutoPlay/AutoRun capabilities have been deployed via automatic updating channels.NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with
Microsoft Knowledge Base Article 967715 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft
Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.

Cleaning Systems of Conficker

Conficker Timeline

On November 21, 2008, the MMPC identified
Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in
MS08-067 through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.

On December 29, 2008, the MMPC identified the second variant,
Worm:Win32/Conficker.B, and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.NOTE:
Worm:Win32/Conficker.B can be successful against systems that have applied the security update associated with
MS08-067.

On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide.

Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox,
avreward@microsoft.com, where tips can be shared.